General

  • Target

    bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

  • Size

    60KB

  • Sample

    200630-apfcafw6ms

  • MD5

    0ed2ca539a01cdb86c88a9a1604b2005

  • SHA1

    4fed7eae00bfa21938e49f33b7c6794fd7d0750c

  • SHA256

    bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

  • SHA512

    34dad101cd7c5f9ff2267674d224986b9274e0e17d9ae665ca1af4ffa57408106238b1e248045465ab17c72a4b92473ab3714aefb705d95f9725a4251379c7e2

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\JoinExport.html.txt

Family

wastedlocker

Ransom Note

BBA Aviation YOUR NETWORK IS ENCRYPTED NOW USE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]sokp3AknKPVKOBuf+KiKHhVm3kMMqxTldtzJzt1H4i3wX4ekJxAJE07T95hhX85i riq8t1bfZVk+7tkeX7DEXr2tCIUucA/CTpqWr/X6R24gsfykV9vJC2J2N8LW8drR e+9UhSOtBn4B4GaXL1VkW6FN3Ij3C+5ICUSCcMFsfGwXK+Okol4a0cI4fukNc4DO i48JU1BLRdm/IJBAbzSWIuX3/jth+xz7agRGfoMAy790XsoviuykyQB7aHoQWbqY C4qWBkPle5p5AXw+61mGUMpLmnVsdwasSDgcET3gBq0dnC/iSKLqiJAwoejbIvYD 5oBWp92LhMqMT60tL7TmO9Y2qCSDoBn5GMpb79Ef8uze7aeEw9j2+hYvYkHCG8X1 YLMG9edz04xO2gduQAP9OTtHTug9ZyMIKjkpG4+DqsOBRhSAgc8GdOZDBFjHK3J9 7Besr5PPPDfS3C5gk0a1kpPM8YF+6h8IdfmB3ru2TUs3Cm560KL4eEOIVJZtgXl6 dGWn0ZXL9XDinbrimGlU9t67xPNFTIrrQM8tmtT10hnsAKLCP5C0NeeY/a44dvqR wPNtMK3/P92akl19+VjgitfK2vHuFO69Wx0/nF6Oy5apbxj476vwZqsqMKlmJnz5 cTkd3kw4FunpnwSvoFLHZvKjQ+9xeWfubISt7meUgtS=[end_key] KEEP IT
Emails

91645@PROTONMAIL.CH

61258@ECLIPSO.CH

Extracted

Path

C:\Users\Admin\Desktop\GrantPush.mp4.bbawasted_info.txt

Family

wastedlocker

Ransom Note

BBA Aviation YOUR NETWORK IS ENCRYPTED NOW USE 91645@PROTONMAIL.CH | 61258@ECLIPSO.CH TO GET THE PRICE FOR YOUR DATA DO NOT GIVE THIS EMAIL TO 3RD PARTIES DO NOT RENAME OR MOVE THE FILE THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY: [begin_key]eWiVIWOKyZhi+k4Xk9XmHRTyqh1mou9rR63QBvua+mGoSRZtf2IP+pYcmJDG60+2 +HXobnzuw/0tJZXCdKVo7vKbYiFrtS+fjQbaUA4uDnG0lBiPwFZrlQ8/5jjSrNCc UBIy0bNpN2nUolQAYBS24NFf+Kws73BEg4rBWfiJchPaj/4exqexSwskjVo0S+ky OeNPHLfkzenJDLlTSK2gYJ8yzn3BhfDDxYNz+MQHPPANfEcWyuUyPTUspbFBGT10 kGtlzKdsd0w3lO31V2gsTcxy+AH3n66oPOJGwR2TKFVulbwkgIiY/0k3UHx8QK40 gZDuufCgscoq7rnyRn4+xIPdjtaCXIZVgKzfwmUdwGSSh93ywcXJlNq1Y8XI3Tb+ /XIHHVfU+fmFPKEyBdZRAt5cXXMssIsc0AKsuELWu/z6Kfxnu2bdyAPgDnMTSDxa IpDFInXnGk+9i0VDeiKxeII8dCV2IBIV4AUnUxC7FDQ+P/q0jYNRM8laajjJ+Fbm sH5gl6OoCHl8bSUK7aHZSbFjffon+ua8C3MZxJl6Nzq5J74Lo2CX+gErcGw4RQqI onaDAnY/HYGluGJqc4TmH7SoptRZj5Wcx4hZahAnpmck9wDWKg9e0kTGgQnoHRYh dnwPfw97uYc8/c0edQlIWqUU0v1KQ1zo0CWdtK2PYp2=[end_key] KEEP IT
Emails

91645@PROTONMAIL.CH

61258@ECLIPSO.CH

Targets

    • Target

      bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8

    • WastedLocker

      Ransomware family seen in the wild since May 2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

    • Modify Existing Service, T1031 (1)

    • Hidden Files and Directories, T1158 (1)

Defense Evasion

    • File Deletion, T1107 (2)

    • File Permissions Modification, T1222 (1)

    • Modify Registry, T1112 (1)

    • Hidden Files and Directories, T1158 (1)

Impact

    • Inhibit System Recovery, T1490 (2)